googleauth 0.1.0 → 0.16.2

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,43 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project,
+and in the interest of fostering an open and welcoming community,
+we pledge to respect all people who contribute through reporting issues,
+posting feature requests, updating documentation,
+submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project
+a harassment-free experience for everyone,
+regardless of level of experience, gender, gender identity and expression,
+sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information,
+such as physical or electronic
+addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct.
+By adopting this Code of Conduct,
+project maintainers commit themselves to fairly and consistently
+applying these principles to every aspect of managing this project.
+Project maintainers who do not follow or enforce the Code of Conduct
+may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior
+may be reported by opening an issue
+or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0,
+available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

data/Gemfile

@@ -1,4 +1,25 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in googleauth.gemspec
 gemspec
+
+group :development do
+  gem "bundler", ">= 1.9"
+  gem "coveralls", "~> 0.7"
+  gem "fakefs", "~> 0.6"
+  gem "fakeredis", "~> 0.5"
+  gem "google-style", "~> 1.25.1"
+  gem "logging", "~> 2.0"
+  gem "minitest", "~> 5.14"
+  gem "minitest-focus", "~> 1.1"
+  gem "rack-test", "~> 0.6"
+  gem "rake", "~> 13.0"
+  gem "redis", "~> 3.2"
+  gem "rspec", "~> 3.0"
+  gem "simplecov", "~> 0.9"
+  gem "sinatra"
+  gem "webmock", "~> 3.8"
+end
+
+gem "faraday", ">= 0.17.3", "< 2.0"
+gem "gems", "~> 1.2"

data/README.md

@@ -1,14 +1,13 @@
-# Google Auth Library for Ruby 
+# Google Auth Library for Ruby
 
 <dl>
-  <dt>Homepage</dt><dd><a href="http://www.github.com/google/google-auth-library-ruby">http://www.github.com/google/google-auth-library-ruby</a></dd>
+  <dt>Homepage</dt><dd><a href="http://www.github.com/googleapis/google-auth-library-ruby">http://www.github.com/googleapis/google-auth-library-ruby</a></dd>
   <dt>Authors</dt><dd><a href="mailto:temiola@google.com">Tim Emiola</a></dd>
   <dt>Copyright</dt><dd>Copyright © 2015 Google, Inc.</dd>
   <dt>License</dt><dd>Apache 2.0</dd>
 </dl>
 
-[![Build Status](https://secure.travis-ci.org/google/google-auth-library-ruby.png)](http://travis-ci.org/google/google-auth-library-ruby)
-[![Dependency Status](https://gemnasium.com/google/google-auth-library-ruby.png)](https://gemnasium.com/google/google-auth-library-ruby)
+[![Gem Version](https://badge.fury.io/rb/googleauth.svg)](http://badge.fury.io/rb/googleauth)
 
 ## Description
 
@@ -36,8 +35,9 @@ $ gem install googleauth
 require 'googleauth'
 
 # Get the environment configured authorization
-scope = 'https://www.googleapis.com/auth/userinfo.profile'
-authorization = Google::Auth.get_application_default(scope)
+scopes =  ['https://www.googleapis.com/auth/cloud-platform',
+           'https://www.googleapis.com/auth/compute']
+authorization = Google::Auth.get_application_default(scopes)
 
 # Add the the access token obtained using the authorization to a hash, e.g
 # headers.
@@ -59,18 +59,142 @@ and authorization level for the application independent of the user. This is
 the recommended approach to authorize calls to Cloud APIs, particularly when
 you're building an application that uses Google Compute Engine.
 
-## What about auth in google-apis-ruby-client?
+## User Credentials
 
-The goal is for all auth done by
-[google-apis-ruby-client][google-apis-ruby-client] to be performed by this
-library. I.e, eventually google-apis-ruby-client will just take a dependency
-on this library.  This update is a work in progress, but should be completed
-by Q2 2015.
+The library also provides support for requesting and storing user
+credentials (3-Legged OAuth2.) Two implementations are currently available,
+a generic authorizer useful for command line apps or custom integrations as
+well as a web variant tailored toward Rack-based applications.
+
+The authorizers are intended for authorization use cases. For sign-on,
+see [Google Identity Platform](https://developers.google.com/identity/)
+
+### Example (Web)
+
+```ruby
+require 'googleauth'
+require 'googleauth/web_user_authorizer'
+require 'googleauth/stores/redis_token_store'
+require 'redis'
+
+client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
+scope = ['https://www.googleapis.com/auth/drive']
+token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)
+authorizer = Google::Auth::WebUserAuthorizer.new(
+  client_id, scope, token_store, '/oauth2callback')
+
+
+get('/authorize') do
+  # NOTE: Assumes the user is already authenticated to the app
+  user_id = request.session['user_id']
+  credentials = authorizer.get_credentials(user_id, request)
+  if credentials.nil?
+    redirect authorizer.get_authorization_url(login_hint: user_id, request: request)
+  end
+  # Credentials are valid, can call APIs
+  # ...
+end
+
+get('/oauth2callback') do
+  target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(
+    request)
+  redirect target_url
+end
+```
+
+### Example (Command Line)
+
+```ruby
+require 'googleauth'
+require 'googleauth/stores/file_token_store'
+
+OOB_URI = 'urn:ietf:wg:oauth:2.0:oob'
+
+scope = 'https://www.googleapis.com/auth/drive'
+client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
+token_store = Google::Auth::Stores::FileTokenStore.new(
+  :file => '/path/to/tokens.yaml')
+authorizer = Google::Auth::UserAuthorizer.new(client_id, scope, token_store)
+
+credentials = authorizer.get_credentials(user_id)
+if credentials.nil?
+  url = authorizer.get_authorization_url(base_url: OOB_URI )
+  puts "Open #{url} in your browser and enter the resulting code:"
+  code = gets
+  credentials = authorizer.get_and_store_credentials_from_code(
+    user_id: user_id, code: code, base_url: OOB_URI)
+end
+
+# OK to use credentials
+```
+
+### Example (Service Account)
+
+```ruby
+scope = 'https://www.googleapis.com/auth/androidpublisher'
+
+authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: File.open('/path/to/service_account_json_key.json'),
+  scope: scope)
+
+authorizer.fetch_access_token!
+```
+
+### Example (Environment Variables)
+
+```bash
+export GOOGLE_ACCOUNT_TYPE=service_account
+export GOOGLE_CLIENT_ID=000000000000000000000
+export GOOGLE_CLIENT_EMAIL=xxxx@xxxx.iam.gserviceaccount.com
+export GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
+```
+
+```ruby
+require 'googleauth'
+require 'google/apis/drive_v3'
+
+Drive = ::Google::Apis::DriveV3
+drive = Drive::DriveService.new
+
+# Auths with ENV vars:
+# "GOOGLE_CLIENT_ID",
+# "GOOGLE_CLIENT_EMAIL",
+# "GOOGLE_ACCOUNT_TYPE", 
+# "GOOGLE_PRIVATE_KEY"
+auth = ::Google::Auth::ServiceAccountCredentials
+  .make_creds(scope: 'https://www.googleapis.com/auth/drive')
+drive.authorization = auth
+
+list_files = drive.list_files()
+
+```
+
+### Storage
+
+Authorizers require a storage instance to manage long term persistence of
+access and refresh tokens. Two storage implementations are included:
+
+*   Google::Auth::Stores::FileTokenStore
+*   Google::Auth::Stores::RedisTokenStore
+
+Custom storage implementations can also be used. See
+[token_store.rb](https://googleapis.dev/ruby/googleauth/latest/Google/Auth/TokenStore.html) for additional details.
+
+## Supported Ruby Versions
+
+This library is supported on Ruby 2.5+.
+
+Google provides official support for Ruby versions that are actively supported
+by Ruby Core—that is, Ruby versions that are either in normal maintenance or in
+security maintenance, and not end of life. Currently, this means Ruby 2.5 and
+later. Older versions of Ruby _may_ still work, but are unsupported and not
+recommended. See https://www.ruby-lang.org/en/downloads/branches/ for details
+about the Ruby support schedule.
 
 ## License
 
 This library is licensed under Apache 2.0. Full license text is
-available in [COPYING][copying].
+available in [LICENSE][license].
 
 ## Contributing
 
@@ -84,7 +208,6 @@ hesitate to
 [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-ruby)
 about the client or APIs on [StackOverflow](http://stackoverflow.com).
 
-[google-apis-ruby-client]: (https://github.com/google/google-api-ruby-client)
-[application default credentials]: (https://developers.google.com/accounts/docs/application-default-credentials)
-[contributing]: https://github.com/google/google-auth-library-ruby/tree/master/CONTRIBUTING.md
-[copying]: https://github.com/google/google-auth-library-ruby/tree/master/COPYING
+[application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
+[contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/master/.github/CONTRIBUTING.md
+[license]: https://github.com/googleapis/google-auth-library-ruby/tree/master/LICENSE

data/googleauth.gemspec

@@ -1,39 +1,39 @@
 # -*- ruby -*-
 # encoding: utf-8
-$LOAD_PATH.push File.expand_path('../lib', __FILE__)
-require 'googleauth/version'
 
-Gem::Specification.new do |s|
-  s.name          = 'googleauth'
-  s.version       = Google::Auth::VERSION
-  s.authors       = ['Tim Emiola']
-  s.email         = 'temiola@google.com'
-  s.homepage      = 'https://github.com/google/google-auth-library-ruby'
-  s.summary       = 'Google Auth Library for Ruby'
-  s.license       = "Apache-2.0"
-  s.description   = <<-eos
+$LOAD_PATH.push File.expand_path("lib", __dir__)
+require "googleauth/version"
+
+Gem::Specification.new do |gem|
+  gem.name          = "googleauth"
+  gem.version       = Google::Auth::VERSION
+  gem.authors       = ["Tim Emiola"]
+  gem.email         = "temiola@google.com"
+  gem.homepage      = "https://github.com/googleapis/google-auth-library-ruby"
+  gem.summary       = "Google Auth Library for Ruby"
+  gem.license       = "Apache-2.0"
+  gem.description   = <<-DESCRIPTION
    Allows simple authorization for accessing Google APIs.
    Provide support for Application Default Credentials, as described at
    https://developers.google.com/accounts/docs/application-default-credentials
-  eos
+  DESCRIPTION
 
-  s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- spec/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*.rb`.split("\n").map do |f|
-    File.basename(f)
+  gem.files         = `git ls-files`.split "\n"
+  gem.test_files    = `git ls-files -- spec/*`.split "\n"
+  gem.executables   = `git ls-files -- bin/*.rb`.split("\n").map do |f|
+    File.basename f
   end
-  s.require_paths = ['lib']
-  s.platform      = Gem::Platform::RUBY
+  gem.require_paths = ["lib"]
+
+  gem.platform      = Gem::Platform::RUBY
+  gem.required_ruby_version = ">= 2.5"
 
-  s.add_dependency 'faraday', '~> 0.9'
-  s.add_dependency 'logging', '~> 1.8'
-  s.add_dependency 'jwt', '~> 1.2.1'
-  s.add_dependency 'memoist', '~> 0.11.0'
-  s.add_dependency 'multi_json', '1.10.1'
-  s.add_dependency 'signet', '~> 0.6.0'
+  gem.add_dependency "faraday", ">= 0.17.3", "< 2.0"
+  gem.add_dependency "jwt", ">= 1.4", "< 3.0"
+  gem.add_dependency "memoist", "~> 0.16"
+  gem.add_dependency "multi_json", "~> 1.11"
+  gem.add_dependency "os", ">= 0.9", "< 2.0"
+  gem.add_dependency "signet", "~> 0.14"
 
-  s.add_development_dependency 'bundler', '~> 1.7'
-  s.add_development_dependency 'rake', '~> 10.0'
-  s.add_development_dependency 'rubocop', '~> 0.28.0'
-  s.add_development_dependency 'rspec', '~> 3.0'
+  gem.add_development_dependency "yard", "~> 0.9"
 end

data/integration/helper.rb

@@ -0,0 +1,31 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "minitest/autorun"
+require "minitest/focus"
+require "googleauth"

data/integration/id_tokens/key_source_test.rb

@@ -0,0 +1,74 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "helper"
+
+describe Google::Auth::IDTokens do
+  describe "key source" do
+    let(:legacy_oidc_key_source) {
+      Google::Auth::IDTokens::X509CertHttpKeySource.new "https://www.googleapis.com/oauth2/v1/certs"
+    }
+    let(:oidc_key_source) { Google::Auth::IDTokens.oidc_key_source }
+    let(:iap_key_source) { Google::Auth::IDTokens.iap_key_source }
+
+    it "Gets real keys from the OAuth2 V1 cert URL" do
+      keys = legacy_oidc_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::RSA, key.key
+        refute key.key.private?
+        assert_equal "RS256", key.algorithm
+      end
+    end
+
+    it "Gets real keys from the OAuth2 V3 cert URL" do
+      keys = oidc_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::RSA, key.key
+        refute key.key.private?
+        assert_equal "RS256", key.algorithm
+      end
+    end
+
+    it "Gets the same keys from the OAuth2 V1 and V3 cert URLs" do
+      keys_v1 = legacy_oidc_key_source.refresh_keys.map(&:key).map(&:export).sort
+      keys_v3 = oidc_key_source.refresh_keys.map(&:key).map(&:export).sort
+      assert_equal keys_v1, keys_v3
+    end
+
+    it "Gets real keys from the IAP public key URL" do
+      keys = iap_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::EC, key.key
+        assert_equal "ES256", key.algorithm
+      end
+    end
+  end
+end

data/lib/googleauth.rb

@@ -27,40 +27,10 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'googleauth/service_account'
-require 'googleauth/compute_engine'
-
-module Google
-  # Module Auth provides classes that provide Google-specific authorization
-  # used to access Google APIs.
-  module Auth
-    NOT_FOUND_ERROR = <<END
-Could not load the default credentials. Browse to
-https://developers.google.com/accounts/docs/application-default-credentials
-for more information
-END
-
-    # Obtains the default credentials implementation to use in this
-    # environment.
-    #
-    # Use this to obtain the Application Default Credentials for accessing
-    # Google APIs.  Application Default Credentials are described in detail
-    # at http://goo.gl/IUuyuX.
-    #
-    # If supplied, scope is used to create the credentials instance, when it
-    # can applied.  E.g, on compute engine, the scope is ignored.
-    #
-    # @param scope [string|array] the scope(s) to access
-    # @param options [hash] allows override of the connection being used
-    def get_application_default(scope, options = {})
-      creds = ServiceAccountCredentials.from_env(scope)
-      return creds unless creds.nil?
-      creds = ServiceAccountCredentials.from_well_known_path(scope)
-      return creds unless creds.nil?
-      fail NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
-      GCECredentials.new
-    end
-
-    module_function :get_application_default
-  end
-end
+require "googleauth/application_default"
+require "googleauth/client_id"
+require "googleauth/credentials"
+require "googleauth/default_credentials"
+require "googleauth/id_tokens"
+require "googleauth/user_authorizer"
+require "googleauth/web_user_authorizer"